Handling of invalid packets

Peter Benie pjb1008@cam.ac.uk
Thu, 30 Sep 1999 11:15:59 +0100

Paul Rusty Russell writes ("Re: Handling of invalid packets "):
> In message <E11WH3k-0007Yn-00@taurus.cus.cam.ac.uk> you write:
> > >	/* Let locally-generated evil packets through. */
> > 
> > Yuck! Surely there's a cleaner way to do that?
> Yep, for 0.1.10 I moved it into a separate hook function for
> local-out, to avoid the test in ipt_hook.
> But the packet filter code assumes a valid IP header (it's far
> easier); this can be violated with root and raw sockets.  What do you
> suggest?

The test is to prevent a program that hasn't been written yet from
violating an assumption made elsewhere in the code. I think that
justifies a comment in the code saying what the test is for (rather
than what the test does, which we can see anyway).
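
An added sketch, not part of the original message and not the netfilter code under discussion: a local-out header check whose comment states what the test is for, as the reply asks. The function names, the verdict enum and the sample packets are hypothetical; the pass-through of invalid packets mirrors the quoted comment.

```c
#include <stddef.h>
#include <stdint.h>

enum verdict { PASS_UNFILTERED, RUN_FILTER };   /* hypothetical names */

/*
 * Purpose: the rule-matching code assumes a well-formed IPv4 header.
 * A root process with a raw socket can emit a packet that breaks that
 * assumption, so locally generated packets are checked here, before
 * rule matching, and malformed ones are let through unfiltered
 * instead of being handed to code that would misparse them.
 */
static int ipv4_header_is_sane(const uint8_t *pkt, size_t len)
{
    size_t ihl, tot_len;

    if (len < 20)                        /* shorter than a minimal header */
        return 0;
    if ((pkt[0] >> 4) != 4)              /* version field must be 4 */
        return 0;
    ihl = (size_t)(pkt[0] & 0x0f) * 4;   /* header length in bytes */
    if (ihl < 20 || ihl > len)           /* must fit inside the buffer */
        return 0;
    tot_len = ((size_t)pkt[2] << 8) | pkt[3];
    if (tot_len < ihl || tot_len > len)  /* total length must be consistent */
        return 0;
    return 1;
}

enum verdict local_out_check(const uint8_t *pkt, size_t len)
{
    return ipv4_header_is_sane(pkt, len) ? RUN_FILTER : PASS_UNFILTERED;
}

/* Constructed samples: a minimal valid header, and one claiming a
 * 60-byte header while only 20 bytes are present. */
static const uint8_t good_pkt[20] =
    { 0x45, 0, 0, 20, 0, 0, 0, 0, 64, 17, 0, 0, 127, 0, 0, 1, 127, 0, 0, 1 };
static const uint8_t bad_ihl_pkt[20] =
    { 0x4f, 0, 0, 20, 0, 0, 0, 0, 64, 17, 0, 0, 127, 0, 0, 1, 127, 0, 0, 1 };

int main(void)
{
    return !(local_out_check(good_pkt, sizeof good_pkt) == RUN_FILTER &&
             local_out_check(bad_ihl_pkt, sizeof bad_ihl_pkt) == PASS_UNFILTERED);
}
```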